21.4.2025

New Legal Framework for Personal Data Protection in Mexico: Implications for the Public Sector

The new data protection law imposes strict obligations on public entities: impact assessments, enhanced security, and formal responses to data subjects. Non-compliance may lead to legal sanctions and direct liability.

A New Regulatory Stage for Data Management in the Public Sector

On March 20, 2025, Mexico published the General Law on the Protection of Personal Data Held by Obligated Entities, as part of a broader legislative package that redefines the institutional and legal model for transparency and privacy in the country. This law replaces the previous framework and imposes stricter standards on public authorities, autonomous bodies, and other obligated entities.

This change affects all authorities across the three branches of government, political parties, trusts, public funds, and any public entity processing personal data. Through new obligations, guiding principles, and supervisory mechanisms, the law aims to strengthen personal data protection nationwide.

The elimination of the INAI and the transfer of its functions to the Ministry of Anti-Corruption and Good Governance marks a pivotal shift in the institutional structure for rights protection. New tools such as impact assessments and expanded ARCO rights reinforce the role of data subjects.

This article outlines the main elements of the new regime, its legal implications, and the strategic measures obligated entities must adopt.

Key Provisions: New Rules for Obligated Entities

Guiding Principles for Data Processing

The law establishes binding principles that apply to public entities managing personal data:

  • Lawfulness: Processing must be justified and legally grounded.
  • Purpose limitation: Data may only be used for explicitly stated purposes.
  • Fairness and consent: Subjects must be informed, and consent must be obtained when required.
  • Data quality and proportionality: Data must be accurate, adequate, and not excessive.
  • Transparency and accountability: Entities must provide clear information and be accountable for compliance.

These principles apply to collection, use, storage, and transfer of data by any obligated entity.

Expanded ARCO Rights

The law strengthens ARCO rights (Access, Rectification, Cancellation, Opposition), and introduces:

  • Data portability: The right to obtain personal data in a structured format.
  • Objection to automated processing: The right to reject decisions made solely by algorithms or AI.

These provisions position data subjects as active participants in how public entities manage personal information.

Mandatory Security Measures

Entities must implement administrative, technical, and physical security measures. These include:

  • Access controls and authentication
  • Internal data governance policies
  • Incident response procedures
  • Ongoing risk assessment and monitoring

Compliance with these measures is essential to protect data and institutional credibility.

Impact Assessments, Sanctions, and the New Supervisory Authority

Data Protection Impact Assessments: Mandatory Legal Prevention

Obligated entities must conduct impact assessments when implementing systems or processes that pose significant risks to individuals. These must include:

  • Data flow and purpose
  • Identification of potential risks
  • Mitigation and control measures
  • Legal justifications and proportionality analysis

This approach embeds privacy into the design and operation of public systems.

Sanctions Regime: Legal Consequences of Non-Compliance

Violations of the law can lead to:

  • Administrative fines, scaled by severity and harm
  • Corrective orders, including data deletion or process suspension
  • Personal liability of public officials who act negligently or unlawfully
  • Legal reviews initiated by subjects or the supervisory authority

Entities must build solid, documented processes to avoid exposure.

The Ministry of Anti-Corruption and Good Governance as Supervisory Authority

This agency now has exclusive authority to:

  • Interpret and enforce the law
  • Resolve appeals from data subjects
  • Supervise compliance and impose sanctions
  • Operate the National Transparency Platform

Replacing the INAI, this centralized model requires adaptation to new procedures, standards, and reporting mechanisms.

Strategic Implications for Obligated Entities: Compliance, Prevention, and Governance

Increased Institutional Responsibility

Leaders of administrative units must document compliance actions and ensure that measures are in place to avoid violations. This redefines privacy as a key operational function—on par with budgeting and auditing.

The principle of proactive responsibility demands action before a breach occurs, including:

  • Internal process reviews
  • Staff training
  • Documentation of key decisions
  • Defined response protocols

Coordination Between Legal, Tech, and Operational Areas

Due to the cross-cutting nature of personal data management, entities must coordinate across departments. This involves:

  • Formally approved internal policies
  • Database management and update procedures
  • Incident response protocols
  • Periodic compliance audits

Public-sector privacy cannot rely on isolated legal documents—it requires systemic alignment.

Non-Compliance Risks: Legal, Operational, and Reputational

Failure to comply may result in:

  • Administrative or disciplinary proceedings
  • Public loss of trust
  • Budgetary or auditing obstacles
  • Legal actions for rights violations

Data protection is now a pillar of institutional legitimacy.

Conclusion: Legal Compliance as Institutional Policy

The General Law on the Protection of Personal Data Held by Obligated Entities marks a new era for public-sector data management in Mexico. It introduces stronger rights, clearer rules, and new enforcement tools.

For public institutions, compliance is now a requirement for legal certainty, accountability, and sustainable governance.

At EBL Consulting Group, we advise public entities on how to implement this new framework, mitigate risks, and build real, traceable, and measurable data protection strategies.
